Fluid Attacks Database

Description

Deserialization of Untrusted Data in Jython Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.python:jython-standalone	>=0 <2.7.1	2.7.1
debian 14	jython	>=0 <2.5.3-17	2.5.3-17
maven	org.python:jython	>=0 <2.7.1-rc1	2.7.1-rc1
debian 12	jython	>=0 <2.5.3-17	2.5.3-17
debian 13	jython	>=0 <2.5.3-17	2.5.3-17
debian 11	jython	>=0 <2.5.3-17	2.5.3-17

Aliases

1. CVE-2016-40002. NVD-2016-40003. OSV-2016-40004. OSV-DEBIAN-2016-40005. GCVE-2016-40006. SECURITY-TRACKER-CVE-2016-40007. security.gentoo.org

References

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=8648592. https://hg.python.org/jython/file/v2.7.1rc1/NEWS3. https://hg.python.org/jython/rev/d06e29d100c04. https://lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533@%3Cdevnull.infra.apache.org%3E5. https://www.oracle.com/security-alerts/cpuapr2020.html6. https://www.oracle.com/security-alerts/cpujan2020.html7. https://www.oracle.com/security-alerts/cpujul2020.html8. https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html9. https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html10. https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html11. http://bugs.jython.org/issue245412. http://www.debian.org/security/2017/dsa-389313. http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html